"The purpose of the deployment of the sanitary pass as a tool for access control is not in the spirit of restricting the movements of citizens, but rather to promote a responsible movement that can strengthen collective health, promote the prerequisites for a widespread recovery of economic activity, support the mobility of citizens and residents in Morocco, both nationally and internationally, the CNDP said in a statement at the end of an extraordinary meeting held on Wednesday to rule, from the point of view of the protection of personal data, on the process of deployment of the vaccine pass (which has evolved positively to a sanitary pass).
In relation to this purpose, the statement added, the CNDP considers that, despite some improvements to be made, the principle of proportionality, within the mobile application in its current version, is respected, given the fact that the QR code reader for use in Morocco only allows access to the information already available and readable in clear on the sanitary pass, noting that no connection to any server is operated. Therefore, no traceability of citizens' movements is deployed through this channel.
In addition, the QR code reader for use in Europe "requires a connection to servers managed by European authorities, regulated by European laws on personal data protection," according to the document, adding that this QR code for use in Europe is made available to Moroccan citizens for the sole purpose of facilitating their international mobility.
In this regard, the Commission called for the publication of adequate legal mentions and the inhibition of the ability to take screenshots that could pave the way to a potential non-civic use of the access controller, stressing that inhibiting screenshots will prevent local storage of displayed information.
Also, the CNDP will evaluate with the developers of the mobile application the impact on the protection of personal data in the event that the application is published on the various stores (Google Store, Apple Store, etc.).
The Commission considers, based on the information currently available, that the use of the mobile application does not present a risk of systematic tracking or access to information other than that already visible to the naked eye on the sanitary pass.
The CNDP also noted that it will continue to monitor future developments and will report any identified risk to the data controller and to citizens, adding that it is at the disposal of citizens to collect and investigate any complaint relating to a failure to respect personal data.
Furthermore, the CNDP draws the attention of the various institutions, organizations and companies to the spirit of the current deployment of the health pass, which must not result in any storage.
For example, the actors who decide to store the health passes of their employees, or the information contained therein, become de facto data controllers within the scope of Law 09-08, and must therefore comply by making the necessary notifications of data processing to the CNDP, the same source added.
Regarding the other elements of the debate, notably whether or not vaccination is obligatory, the CNDP considers that this point is not within its competence and relies on the sanitary authorities to address the subject.
On the empowerment of access controllers to ask for the presentation of the national ID, the CNDP considers that the subject is related to citizens' fear of seeing their identification number accessible to unauthorized actors, which increases the risk of this identification number being reused for other purposes.
This point must be studied seriously, especially if this practice becomes part of our daily life, beyond the period of the sanitary emergency, said the CNDP, adding that the implementation of a sector-specific identifier for the sanitary pass may be a solution.
Concerning the importance of prior preparation and upstream information to allow the necessary time for the preparation of the deployment, this point is not within the scope of competence of the CNDP, and the CDAI (Commission du Droit d’Accès à l’Information) will express itself on the subject in the next few days.
In this context, the CNDP decides to launch a consultation on the establishment of a sectorial identifier layer that should protect the existence of a less sectorial identifier necessary for the planning of public policies, for the execution of judicial procedures and elements that may relate to internal or external security issues of the State.
The CNDP, according to the statement, also calls for the organization of a governmental seminar dedicated to the definition of an architecture of identifiers from the point of view of personal data protection, in compliance with Morocco’s Constitution and the international conventions ratified by the Kingdom.
The various concepts to be deployed must go beyond a merely technical vision and take into consideration the imperatives of strengthening Digital Trust, a prerequisite for the necessary advances in the responsible deployment of digital technology at the service of our economy and society, the same source stressed.
Moreover, the CNDP recalled the protection of personal data in the context of the deployment process of the vaccine pass, announced as limited in time during the period of the state of health emergency, noting that the Commission's mission, among others, is to monitor the protection of personal data regardless of their media (paper, digital, sound, image, etc.).
The sanitary pass, to date, presents readable information, a QR code for use in Morocco and a QR code for use in Europe, said the statement, stressing that the use of personal data must comply with Law 09-08 and, thus, take into account the principle of proportionality, while respecting the purposes displayed.